漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Shescape Inefficient Regular Expression Complexity vulnerability
Vulnerability Description
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
CWE-1333
Vulnerability Title
Shescape 输入验证错误漏洞
Vulnerability Description
Shescape是开源的一个用于JavaScript的简单外壳转义程序包。使用它可以将用户控制的输入转义给shell命令,以防止shell注入。 Shescape v1.5.10之前版本存在输入验证错误漏洞,该漏洞源于Shescape 中的两个正则表达式容易受到正则表达式拒绝服务 (ReDoS) 的影响,攻击者利用该漏洞可以在输入字符串长度方面导致多项式回溯或二次运行。
CVSS Information
N/A
Vulnerability Type
N/A